Btech admission in india

By:admission.edhole.com

• RFC 2409 (novembre 1998)

• ISAKMP (Internet Security Association and Key Management Protocol, RFC 2408)

• DoI (IPSec Domain of Interpretation for ISAKMP, RFC 2407)

Sécurité des Réseaux, Master CSI 2

J.Bétréma, LaBRI, Université Bordeaux 1

admission.edhole.com

There are two ways to design a system:

• One is to make it so simple there are obviously no deficiencies.

• The other is to make it so complex there are no obvious deficiencies.

C.A.R. Hoare

Miraculously, people were able to implement IKE, and even interoperate…

Kaufman, Perlman, SpecinerNetwork Security


• Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. This is called the ISAKMP Security Association (SA).

• Phase 2 is where Security Associations are negotiated on behalf of services such as IPsec or any other service which needs key material and/or parameter negotiation.

• With the use of ISAKMP phases, an implementation can accomplish very fast keying when necessary. A single phase 1 negotiation may be used for more than one phase 2 negotiation. Additionally a single phase 2 negotiation can request multiple Security Associations. With these optimizations, an implementation can see less than one round trip per SA as well as less than one DH exponentiation per SA.

RF

C 2

409,

sec

tion

4. I

ntro

duct

ion


• La phase 1 peut se dérouler en « mode principal » (main mode, 6 messages) ou en « mode agressif » (aggressive mode, 3 messages).

• La phase 2 se déroule en « mode rapide » (quick mode).


Main Mode is an instantiation of the ISAKMP Identity Protect Exchange:

• The first two messages negotiate policy;

• the next two exchange Diffie-Hellman public values and ancillary data (e.g. nonces) necessary for the exchange;

• and the last two messages authenticate the Diffie-Hellman Exchange.

The authentication method negotiated as part of the initial ISAKMP exchange influences the composition of the payloads but not their purpose. The XCHG for Main Mode is ISAKMP Identity Protect. R

FC

240

9, s

ectio

n 5.

Exc

hang

es


Initiator Responder----------- -----------HDR, SA --> <-- HDR, SA

RFC 2409, sections 5.1 à 5.4 :n’est-ce pas clair ?

• HDR (header) désigne l’en-tête d’un message ISAKMP

• SA désigne une « charge utile » (payload) de type Security Association, pour en savoir plus, il faut consulter la RFC 2408 (ISAKMP).

• Ces messages contiennent chacun une liste de protocoles cryptographiques, proposés par Alice (initiator) ou acceptés par Bob (responder).

• Codage complexe, dans un jargon obscur : voir section 4.2 de la RFC 2408.


The following attributes are used by IKE and are negotiated as part of the ISAKMP Security Association.

• encryption algorithm

• hash algorithm

• authentication method

• information about a group over which to do Diffie-Hellman.

All of these attributes are mandatory and MUST be negotiated.RF

C 2

409,

sec

tion

4. I

ntro

duct

ion


IKE implementations MUST support the following attribute values:

• DES in CBC mode with a weak, and semi-weak, key check (weak and semi-weak keys are listed in Appendix A). The key is derived according to Appendix B.

• MD5 and SHA.

• Authentication via pre-shared keys.

• MODP over default group number one.

RF

C 2

409,

sec

tion

4. I

ntro

duct

ion


In addition, IKE implementations SHOULD support:

• 3DES for encryption;

• Tiger for hash;

• the Digital Signature Standard, RSA signatures and authentication with RSA public key encryption;

• and MODP group number 2.

IKE implementations MAY support any additional encryption algorithms defined in Appendix A and MAY support ECP and EC2N groups.R

FC

240

9, s

ectio

n 4.

Int

rodu

ctio

n


• An ISAKMP message has a fixed header format, followed by a variable number of payloads.

• The fixed header contains the information required by the protocol to maintain state, process payloads and possibly prevent denial of service or replay attacks.

• The presence and ordering of payloads in ISAKMP is defined by and dependent upon the Exchange Type Field located in the ISAKMP Header

Network Working Group D. MaughanRequest for Comments: 2408 National Security AgencyCategory: Standards Track M. Schertler Securify, Inc.Internet Security Association M. Schneiderand Key Management Protocol (ISAKMP) National Security Agency J. Turner RABA Technologies, Inc. November 1998


1 2 30 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+! Initiator !! Cookie !+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+! Responder !! Cookie !+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+! Message ID !+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+! Length !+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Figure 2: ISAKMP Header Format


• Anti-Clogging Token (to clog = obstruer, encrasser) : pour gêner les attaques DoS (déni de service).

• La requête initiale peut être falsifiée (IP spoofing), le serveur ne doit pas consommer de ressource (mémoire, temps de calcul) avant réception du message suivant de la part du client (supposé), codé selon les règles ISAKMP.

• Pour que le serveur ne consomme aucune ressource prématurément, il doit pouvoir vérifier le « responder cookie » en mode « stateless »: Karn's suggested method for creating the cookie is to perform a fast hash (e.g. MD5) over the IP Source and Destination Address, the UDP Source and Destination Ports and a locally generated secret random value.

• Impossible ici, car il faut mémoriser les termes de la négociation, inclus dans les deux premiers messages…


Initiator Responder---------- -----------HDR, KE, Ni --> <-- HDR, KE, Nr

• KE désigne une « charge utile » (payload) de type Key Exchange, pour en savoir plus, il faut consulter la RFC 2408 (ISAKMP).

• N désigne une « charge utile » (payload) de type Nonce.

• RFC 2408 : The Key Exchange Payload supports a variety of key exchange techniques. Example key exchanges are Oakley, Diffie-Hellman, the enhanced Diffie-Hellman key exchange described in X9.42 [ANSI], and the RSA-based key exchange used by PGP.

RFC 2409, section 5.4,messages 3 et 4,clef secrète partagée.


With IKE, the group in which to do the Diffie-Hellman exchange is negotiated. Four groups -- values 1 through 4 -- are defined below. These groups originated with the Oakley protocol and are therefore called "Oakley Groups". These groups were all generated by Richard Schroeppel at the University of Arizona.

RF

C 2

409,

sec

tion

6. O

akle

y gr

oups


First Oakley Default Group

Oakley implementations MUST support a MODP group with the following prime and generator. This group is assigned id 1 (one).

The prime is: 2^768 - 2 ^704 - 1 + 2^64 * { [2^638 pi] + 149686 }

Its hexadecimal value is

FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD129024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DDEF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF

The generator is: 2.


Second Oakley Default Group

IKE implementations SHOULD support a MODP group with the following prime and generator. This group is assigned id 2 (two).

The prime is 2^1024 - 2^960 - 1 + 2^64 * { [2^894 pi] + 129093 }.

Its hexadecimal value is

FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD129024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DDEF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7EDEE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381FFFFFFFF FFFFFFFF

The generator is 2 (decimal)


Third Oakley Group

IKE implementations SHOULD support a EC2N group with the following characteristics. This group is assigned id 3 (three).

The curve is based on the Galois Field GF[2^155]. The field size is 155. The irreducible polynomial for the field is: u^155 + u^62 + 1.

The equation for the elliptic curve is: y^2 + xy = x^3 + ax^2 + b.

Field Size: 155 Group Prime/Irreducible Polynomial: 0x0800000000000000000000004000000000000001 Group Generator One: 0x7b Group Curve A: 0x0 Group Curve B: 0x07338f

Group Order: 0X0800000000000000000057db5698537193aef944


Third Oakley Group

The data in the KE payload when using this group is the value x from the solution (x,y), the point on the curve chosen by taking the randomly chosen secret Ka and computing Ka*P, where * is the repetition of the group addition and double operations, P is the curve point with x coordinate equal to generator 1 and the y coordinate determined from the defining equation.

Fourth Oakley Group

This group is assigned id 4 (four). The curve is based on the Galois Field GF[2^185]. The field size is 185. The irreducible polynomial for the field is: u^185 + u^69 + 1 etc. Group Generator One: 0x18 Group Curve A: 0x0 Group Curve B: 0x1ee9 Group Order: 0X01ffffffffffffffffffffffdbf2f889b73e484175f94ebc


Nonce Payload (RFC 2408)

The Nonce Payload contains random data used to guarantee liveness (sic) during an exchange and protect against replay attacks. The nonces may be transmitted as part of the key exchange data, or as a separate payload. However, this is defined by the key exchange, not by ISAKMP.


Initiator Responder---------- -----------HDR*, IDii, HASH_I --> <-- HDR*, IDir, HASH_R

RFC 2409, section 5.4,messages 5 et 6,clef secrète partagée.

• IDx is the identification payload for "x". x can be: "ii" or "ir" for the ISAKMP initiator and responder respectively during phase one negotiation; or "ui" or "ur" for the user initiator and responder respectively during phase two.

• HASH (and any derivative such as HASH_I) is the hash payload. The contents of the hash are specific to the authentication method.

• Ces messages sont chiffrés (notation HDR*) avec SKEYID_e (voir plus loin), pour protéger l’identité des partenaires.

RF

C 2

409,

sec

tion

3.2.

Not

atio

n


• SKEYID_d = prf (SKEYID, g^xy | CKY-I | CKY-R | 0)

• SKEYID_a = prf (SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)

• SKEYID_e = prf (SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)

• SKEYID is a string derived from secret material known only to the active players in the exchange.

• SKEYID_e is the keying material used by the ISAKMP SA to protect the confidentiality of its messages.

• SKEYID_a is the keying material used by the ISAKMP SA to authenticate its messages.

• SKEYID_d is the keying material used to derive keys for non-ISAKMP security associations.R

FC

240

9, s

ectio

n 3.

2. N

otat

ion

RF

C 2

409,

sec

tion

5. E

xcha

nges


If a "prf" is not negotiated, the HMAC version of the negotiated hash algorithm is used as a pseudo-random function.

• La clé est complétée (padding) par des 0, pour atteindre 512 bits.

• Si la clé dépasse 512 bits, elle est d’abord condensée (digest)

• const1 est une suite de 64 octets, égaux chacun à 0x36

• const2 est une suite de 64 octets, égaux chacun à 0x5c


Initiator Responder----------- -----------HDR, SA, KE, Ni, IDii --> <-- HDR, SA, KE, Nr, IDir, HASH_RHDR, HASH_I -->

RFC 2409, section 5.4, clef secrète partagée.

Section 4. Introduction : when identity protection is not needed, "Aggressive Mode" can be used to reduce round trips.


Four different authentication methods are allowed with either Main Mode or Aggressive Mode :

• digital signature,

• two forms of authentication with public key encryption,

• pre-shared key.

The value SKEYID is computed seperately for each authentication method.

RF

C 2

409,

sec

tion

5. E

xcha

nges


Initiator Responder----------- -----------HDR, SA --> <-- HDR, SAHDR, KE, Ni --> <-- HDR, KE, NrHDR*, IDii, [ CERT, ] SIG_I --> <-- HDR*, IDir, [ CERT, ] SIG_R

RF

C 2

409,

sec

tion

5.1

Seuls les messages 5 et 6 changent, et :

SKEYID = prf (Ni_b | Nr_b, g^xy)


RF

C 2

409,

sec

tion

5.1 • The signed data, SIG_I or SIG_R, is the result of the negotiated digital signa-

ture algorithm applied to HASH_I or HASH_R respectively.

• In general the signature will be over HASH_I and HASH_R as above using the negotiated prf, or the HMAC version of the negotiated hash function (if no prf is negotiated).

• However, this can be overridden for construction of the signature if the signature algorithm is tied to a particular hash algorithm (e.g. DSS is only defined with SHA's 160 bit output).

• One or more certificate payloads MAY be optionally passed.

• HASH_I = prf (SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b )

• HASH_R = prf (SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b )R

appe

l


Initiator Responder----------- -----------HDR, SA, KE, Ni, IDii --> <-- HDR, SA, KE, Nr, IDir, [ CERT, ] SIG_RHDR, [ CERT, ] SIG_I -->

Mode agressif :


Initiator Responder----------- -----------HDR, SA --> <-- HDR, SAHDR, [ HASH(1), ] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDii_b>Ke_i, [<Cert-I_b>Ke_i] --> HDR, <Nr_b>PubKey_i, <KE_b>Ke_r, <-- <IDir_b>Ke_r,HDR*, HASH_I --> <-- HDR*, HASH_R

RF

C 2

409,

sec

tion

5.3

mét

hode

rév

isée

SKEYID = prf (hash (Ni_b | Nr_b), CKY-I | CKY-R)

Seuls les messages 3 et 4 sont nouveaux, et :


RF

C 2

409,

sec

tion

5.2

• Using encryption for authentication provides for a plausably deniable exchange. There is no proof (as with a digital signature) that the conver-sation ever took place since each party can completely reconstruct both sides of the exchange.

• In addition, security is added to secret generation since an attacker would have to successfully break not only the Diffie-Hellman exchange but also both RSA encryptions.

• This exchange was motivated by [SKEME].


RF

C 2

409,

sec

tion

5.3

• In this mode, the nonce is still encrypted using the public key of the peer, however the peer's identity (and the certificate if it is sent) is encrypted using the negotiated symmetric encryption algorithm (from the SA payload) with a key derived from the nonce.

• This solution adds minimal complexity and state yet saves two costly public key operations on each side. In addition, the Key Exchange payload is also encrypted using the same derived key. This provides additional protection against cryptanalysis of the Diffie-Hellman exchange.

• A HASH payload may be sent to identify a certificate if the responder has multiple certificates which contain useable public keys (e.g. if the certificate is not for signatures only, either due to certificate restrictions or algorithmic restrictions).


RF

C 2

409,

sec

tion

5.3

The symmetric cipher keys are derived from the decrypted nonces as follows.

• First the values Ne_i and Ne_r are computed:

Ne_i = prf (Ni_b, CKY-I) Ne_r = prf (Nr_b, CKY-R)

• The keys Ke_i and Ke_r are then taken from Ne_i and Ne_r respectively in the manner described in Appendix B used to derive symmetric keys for use with the negotiated encryption algorithm.


Initiator Responder----------- -----------HDR, SA, [ HASH(1),] <Ni_b>Pubkey_r, <KE_b>Ke_i, <IDii_b>Ke_i [, <Cert-I_b>Ke_i ] --> HDR, SA, <Nr_b>PubKey_i, <KE_b>Ke_r, <IDir_b>Ke_r, <-- HASH_RHDR, HASH_I -->

Mode agressif :


• Quick Mode is not a complete exchange itself (in that it is bound to a phase 1 exchange), but is used as part of the SA negotiation process (phase 2) to derive keying material and negotiate shared policy for non-ISAKMP SAs.

• The information exchanged along with Quick Mode MUST be protected by the ISAKMP SA -- i.e. all payloads except the ISAKMP header are encrypted.

• In Quick Mode, a HASH payload MUST immediately follow the ISAKMP header and a SA payload MUST immediately follow the HASH. This HASH authenticates the message and also provides liveliness proofs.


• Quick Mode is essentially a SA negotiation and an exchange of nonces that provides replay protection.

• The nonces are used to generate fresh key material and prevent replay attacks from generating bogus security associations.

• An optional Key Exchange payload can be exchanged to allow for an additional Diffie-Hellman exchange and exponentiation per Quick Mode.

• Base Quick Mode (without the KE payload) refreshes the keying material derived from the exponentiation in phase 1. This does not provide PFS. Using the optional KE payload, an additional exponentiation is performed and PFS is provided for the keying material.


Initiator Responder----------- -----------HDR*, HASH(1), SA, Ni [, KE ] [, IDci, IDcr ] --> <-- HDR*, HASH(2), SA, Nr [, KE ] [, IDci, IDcr]HDR*, HASH(3) -->


• HASH(1) is the prf over the message id (M-ID) from the ISAKMP header, concatenated with the entire message that follows the hash including all payload headers, but excluding any padding added for encryption.

• HASH(2) is identical to HASH(1) except the initiator's nonce -- Ni, minus the payload header -- is added after M-ID but before the complete message. The addition of the nonce to HASH(2) is for a liveliness proof.

• HASH(3) -- for liveliness -- is the prf over the value zero represented as a single octet, followed by a concatenation of the message id and the two nonces -- the initiator's followed by the responder's -- minus the payload header. In other words, the hashes for the above exchange are:

HASH(1) = prf (SKEYID_a, M-ID | SA | Ni [ | KE ] [ | IDci | IDcr )HASH(2) = prf (SKEYID_a, M-ID | Ni_b | SA | Nr [ | KE ] [ | IDci | IDcr )HASH(3) = prf (SKEYID_a, 0 | M-ID | Ni_b | Nr_b)


• If PFS is not needed, and KE payloads are not exchanged, the new keying material is defined as

KEYMAT = prf (SKEYID_d, protocol | SPI | Ni_b | Nr_b).

• If PFS is desired and KE payloads were exchanged, the new keying material is defined as

KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)

• where g(qm)^xy is the shared secret from the ephemeral Diffie-Hellman exchange of this Quick Mode.

• In either case, "protocol" and "SPI" are from the ISAKMP Proposal Payload that contained the negotiated Transform.


For situations where the amount of keying material desired is greater than that supplied by the prf, KEYMAT is expanded by feeding the results of the prf back into itself and concatenating results until the required keying material has been reached. In other words,

KEYMAT = K1 | K2 | K3 | ...

where

K1 = prf (SKEYID_d, [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)K2 = prf (SKEYID_d, K1 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)K3 = prf (SKEYID_d, K2 | [ g(qm)^xy | ] protocol | SPI | Ni_b | Nr_b)etc.


Btech admission in india

Education

Transcript of Btech admission in india